Vulnerability Details CVE-2021-41184
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.239
EPSS Ranking 95.7%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.3
References
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
- https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
- https://security.netapp.com/advisory/ntap-20211118-0004/
- https://www.drupal.org/sa-core-2022-001
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.tenable.com/security/tns-2022-09
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
- https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
- https://security.netapp.com/advisory/ntap-20211118-0004/
- https://www.drupal.org/sa-core-2022-001
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.tenable.com/security/tns-2022-09
Products affected by CVE-2021-41184
-
cpe:2.3:a:drupal:drupal:7.0
-
cpe:2.3:a:drupal:drupal:7.1
-
cpe:2.3:a:drupal:drupal:7.10
-
cpe:2.3:a:drupal:drupal:7.11
-
cpe:2.3:a:drupal:drupal:7.12
-
cpe:2.3:a:drupal:drupal:7.13
-
cpe:2.3:a:drupal:drupal:7.14
-
cpe:2.3:a:drupal:drupal:7.15
-
cpe:2.3:a:drupal:drupal:7.16
-
cpe:2.3:a:drupal:drupal:7.17
-
cpe:2.3:a:drupal:drupal:7.18
-
cpe:2.3:a:drupal:drupal:7.19
-
cpe:2.3:a:drupal:drupal:7.2
-
cpe:2.3:a:drupal:drupal:7.20
-
cpe:2.3:a:drupal:drupal:7.21
-
cpe:2.3:a:drupal:drupal:7.22
-
cpe:2.3:a:drupal:drupal:7.23
-
cpe:2.3:a:drupal:drupal:7.24
-
cpe:2.3:a:drupal:drupal:7.25
-
cpe:2.3:a:drupal:drupal:7.26
-
cpe:2.3:a:drupal:drupal:7.27
-
cpe:2.3:a:drupal:drupal:7.28
-
cpe:2.3:a:drupal:drupal:7.29
-
cpe:2.3:a:drupal:drupal:7.3
-
cpe:2.3:a:drupal:drupal:7.30
-
cpe:2.3:a:drupal:drupal:7.31
-
cpe:2.3:a:drupal:drupal:7.32
-
cpe:2.3:a:drupal:drupal:7.33
-
cpe:2.3:a:drupal:drupal:7.34
-
cpe:2.3:a:drupal:drupal:7.35
-
cpe:2.3:a:drupal:drupal:7.36
-
cpe:2.3:a:drupal:drupal:7.37
-
cpe:2.3:a:drupal:drupal:7.38
-
cpe:2.3:a:drupal:drupal:7.39
-
cpe:2.3:a:drupal:drupal:7.4
-
cpe:2.3:a:drupal:drupal:7.40
-
cpe:2.3:a:drupal:drupal:7.41
-
cpe:2.3:a:drupal:drupal:7.42
-
cpe:2.3:a:drupal:drupal:7.43
-
cpe:2.3:a:drupal:drupal:7.44
-
cpe:2.3:a:drupal:drupal:7.5
-
cpe:2.3:a:drupal:drupal:7.50
-
cpe:2.3:a:drupal:drupal:7.51
-
cpe:2.3:a:drupal:drupal:7.52
-
cpe:2.3:a:drupal:drupal:7.53
-
cpe:2.3:a:drupal:drupal:7.54
-
cpe:2.3:a:drupal:drupal:7.55
-
cpe:2.3:a:drupal:drupal:7.56
-
cpe:2.3:a:drupal:drupal:7.57
-
cpe:2.3:a:drupal:drupal:7.58
-
cpe:2.3:a:drupal:drupal:7.59
-
cpe:2.3:a:drupal:drupal:7.6
-
cpe:2.3:a:drupal:drupal:7.60
-
cpe:2.3:a:drupal:drupal:7.61
-
cpe:2.3:a:drupal:drupal:7.62
-
cpe:2.3:a:drupal:drupal:7.63
-
cpe:2.3:a:drupal:drupal:7.64
-
cpe:2.3:a:drupal:drupal:7.65
-
cpe:2.3:a:drupal:drupal:7.66
-
cpe:2.3:a:drupal:drupal:7.67
-
cpe:2.3:a:drupal:drupal:7.68
-
cpe:2.3:a:drupal:drupal:7.69
-
cpe:2.3:a:drupal:drupal:7.7
-
cpe:2.3:a:drupal:drupal:7.70
-
cpe:2.3:a:drupal:drupal:7.71
-
cpe:2.3:a:drupal:drupal:7.72
-
cpe:2.3:a:drupal:drupal:7.73
-
cpe:2.3:a:drupal:drupal:7.74
-
cpe:2.3:a:drupal:drupal:7.75
-
cpe:2.3:a:drupal:drupal:7.76
-
cpe:2.3:a:drupal:drupal:7.77
-
cpe:2.3:a:drupal:drupal:7.78
-
cpe:2.3:a:drupal:drupal:7.79
-
cpe:2.3:a:drupal:drupal:7.8
-
cpe:2.3:a:drupal:drupal:7.80
-
cpe:2.3:a:drupal:drupal:7.81
-
cpe:2.3:a:drupal:drupal:7.82
-
cpe:2.3:a:drupal:drupal:7.83
-
cpe:2.3:a:drupal:drupal:7.84
-
cpe:2.3:a:drupal:drupal:7.85
-
cpe:2.3:a:drupal:drupal:7.9
-
cpe:2.3:a:drupal:drupal:9.2.0
-
cpe:2.3:a:drupal:drupal:9.2.1
-
cpe:2.3:a:drupal:drupal:9.2.10
-
cpe:2.3:a:drupal:drupal:9.2.2
-
cpe:2.3:a:drupal:drupal:9.2.3
-
cpe:2.3:a:drupal:drupal:9.2.4
-
cpe:2.3:a:drupal:drupal:9.2.5
-
cpe:2.3:a:drupal:drupal:9.2.6
-
cpe:2.3:a:drupal:drupal:9.2.7
-
cpe:2.3:a:drupal:drupal:9.2.8
-
cpe:2.3:a:drupal:drupal:9.2.9
-
cpe:2.3:a:drupal:drupal:9.3.0
-
cpe:2.3:a:drupal:drupal:9.3.1
-
cpe:2.3:a:drupal:drupal:9.3.2
-
cpe:2.3:a:jqueryui:jquery_ui:1.0
-
cpe:2.3:a:jqueryui:jquery_ui:1.10.0
-
cpe:2.3:a:jqueryui:jquery_ui:1.10.1
-
cpe:2.3:a:jqueryui:jquery_ui:1.10.2
-
cpe:2.3:a:jqueryui:jquery_ui:1.10.3
-
cpe:2.3:a:jqueryui:jquery_ui:1.10.4
-
cpe:2.3:a:jqueryui:jquery_ui:1.11.0
-
cpe:2.3:a:jqueryui:jquery_ui:1.11.1
-
cpe:2.3:a:jqueryui:jquery_ui:1.11.2
-
cpe:2.3:a:jqueryui:jquery_ui:1.11.3
-
cpe:2.3:a:jqueryui:jquery_ui:1.11.4
-
cpe:2.3:a:jqueryui:jquery_ui:1.12.0
-
cpe:2.3:a:jqueryui:jquery_ui:1.12.1
-
cpe:2.3:a:jqueryui:jquery_ui:1.5
-
cpe:2.3:a:jqueryui:jquery_ui:1.5.1
-
cpe:2.3:a:jqueryui:jquery_ui:1.5.2
-
cpe:2.3:a:jqueryui:jquery_ui:1.5.3
-
cpe:2.3:a:jqueryui:jquery_ui:1.6
-
cpe:2.3:a:jqueryui:jquery_ui:1.7
-
cpe:2.3:a:jqueryui:jquery_ui:1.7.1
-
cpe:2.3:a:jqueryui:jquery_ui:1.7.2
-
cpe:2.3:a:jqueryui:jquery_ui:1.8
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.1
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.10
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.11
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.12
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.13
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.14
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.15
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.16
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.17
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.18
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.19
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.2
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.20
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.21
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.22
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.23
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.24
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.3
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.4
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.5
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.6
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.7
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.8
-
cpe:2.3:a:jqueryui:jquery_ui:1.8.9
-
cpe:2.3:a:jqueryui:jquery_ui:1.9.0
-
cpe:2.3:a:jqueryui:jquery_ui:1.9.1
-
cpe:2.3:a:jqueryui:jquery_ui:1.9.2
-
cpe:2.3:a:oracle:agile_plm:9.3.6
-
cpe:2.3:a:oracle:application_express:-
-
cpe:2.3:a:oracle:application_express:18.2
-
cpe:2.3:a:oracle:application_express:19.1
-
cpe:2.3:a:oracle:application_express:19.2
-
cpe:2.3:a:oracle:application_express:20.1
-
cpe:2.3:a:oracle:application_express:20.2
-
cpe:2.3:a:oracle:application_express:21.1.0
-
cpe:2.3:a:oracle:application_express:21.1.0.00.01
-
cpe:2.3:a:oracle:application_express:21.1.4
-
cpe:2.3:a:oracle:application_express:3.0
-
cpe:2.3:a:oracle:application_express:3.1
-
cpe:2.3:a:oracle:application_express:3.2
-
cpe:2.3:a:oracle:application_express:4.0
-
cpe:2.3:a:oracle:application_express:4.1
-
cpe:2.3:a:oracle:application_express:4.2
-
cpe:2.3:a:oracle:application_express:5.0
-
cpe:2.3:a:oracle:application_express:5.0.4
-
cpe:2.3:a:oracle:application_express:5.1.0
-
cpe:2.3:a:oracle:application_express:5.1.1
-
cpe:2.3:a:oracle:application_express:5.1.2
-
cpe:2.3:a:oracle:application_express:5.1.2.00.09
-
cpe:2.3:a:oracle:application_express:5.1.3
-
cpe:2.3:a:oracle:application_express:5.1.3.00.05
-
cpe:2.3:a:oracle:application_express:5.1.4
-
cpe:2.3:a:oracle:application_express:5.1.4.00.08
-
cpe:2.3:a:oracle:banking_platform:2.12.0
-
cpe:2.3:a:oracle:banking_platform:2.9.0
-
cpe:2.3:a:oracle:big_data_spatial_and_graph:-
-
cpe:2.3:a:oracle:big_data_spatial_and_graph:2.0
-
cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1
-
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4
-
cpe:2.3:a:oracle:communications_operations_monitor:4.3
-
cpe:2.3:a:oracle:communications_operations_monitor:4.4
-
cpe:2.3:a:oracle:communications_operations_monitor:5.0
-
cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0
-
cpe:2.3:a:oracle:hospitality_materials_control:18.1
-
cpe:2.3:a:oracle:hospitality_suite8:8.10.2
-
cpe:2.3:a:oracle:hospitality_suite8:8.11.0
-
cpe:2.3:a:oracle:hospitality_suite8:8.11.0.0
-
cpe:2.3:a:oracle:hospitality_suite8:8.12
-
cpe:2.3:a:oracle:hospitality_suite8:8.12.0
-
cpe:2.3:a:oracle:hospitality_suite8:8.12.0.0
-
cpe:2.3:a:oracle:hospitality_suite8:8.13
-
cpe:2.3:a:oracle:hospitality_suite8:8.13.0
-
cpe:2.3:a:oracle:hospitality_suite8:8.14
-
cpe:2.3:a:oracle:hospitality_suite8:8.14.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.6.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.6.1
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.6.3
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59
-
cpe:2.3:a:oracle:policy_automation:12.2.0
-
cpe:2.3:a:oracle:policy_automation:12.2.1
-
cpe:2.3:a:oracle:policy_automation:12.2.10
-
cpe:2.3:a:oracle:policy_automation:12.2.11
-
cpe:2.3:a:oracle:policy_automation:12.2.12
-
cpe:2.3:a:oracle:policy_automation:12.2.13
-
cpe:2.3:a:oracle:policy_automation:12.2.14
-
cpe:2.3:a:oracle:policy_automation:12.2.15
-
cpe:2.3:a:oracle:policy_automation:12.2.2
-
cpe:2.3:a:oracle:policy_automation:12.2.20
-
cpe:2.3:a:oracle:policy_automation:12.2.3
-
cpe:2.3:a:oracle:policy_automation:12.2.4
-
cpe:2.3:a:oracle:policy_automation:12.2.5
-
cpe:2.3:a:oracle:policy_automation:12.2.6
-
cpe:2.3:a:oracle:policy_automation:12.2.7
-
cpe:2.3:a:oracle:policy_automation:12.2.8
-
cpe:2.3:a:oracle:policy_automation:12.2.9
-
cpe:2.3:a:oracle:primavera_unifier:17.10
-
cpe:2.3:a:oracle:primavera_unifier:17.11
-
cpe:2.3:a:oracle:primavera_unifier:17.12
-
cpe:2.3:a:oracle:primavera_unifier:17.7
-
cpe:2.3:a:oracle:primavera_unifier:17.8
-
cpe:2.3:a:oracle:primavera_unifier:17.9
-
cpe:2.3:a:oracle:primavera_unifier:18.8
-
cpe:2.3:a:oracle:primavera_unifier:19.12
-
cpe:2.3:a:oracle:primavera_unifier:20.12
-
cpe:2.3:a:oracle:primavera_unifier:21.12
-
cpe:2.3:a:oracle:rest_data_services:11.2.0.4
-
cpe:2.3:a:oracle:rest_data_services:12.1.0.2
-
cpe:2.3:a:oracle:rest_data_services:12.2.0.1
-
cpe:2.3:a:oracle:rest_data_services:18c
-
cpe:2.3:a:oracle:rest_data_services:19c
-
cpe:2.3:a:oracle:rest_data_services:20.4.3.050.1904
-
cpe:2.3:a:oracle:rest_data_services:21.2
-
cpe:2.3:a:oracle:rest_data_services:21.2.4
-
cpe:2.3:a:oracle:rest_data_services:21.3
-
cpe:2.3:a:oracle:rest_data_services:22.1.1
-
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0
-
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0
-
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0
-
cpe:2.3:a:tenable:tenable.sc:-
-
cpe:2.3:a:tenable:tenable.sc:5.13.0
-
cpe:2.3:a:tenable:tenable.sc:5.14.0
-
cpe:2.3:a:tenable:tenable.sc:5.14.1
-
cpe:2.3:a:tenable:tenable.sc:5.16.0
-
cpe:2.3:a:tenable:tenable.sc:5.17.0
-
cpe:2.3:a:tenable:tenable.sc:5.18.0
-
cpe:2.3:a:tenable:tenable.sc:5.19.0
-
cpe:2.3:a:tenable:tenable.sc:5.19.1
-
cpe:2.3:a:tenable:tenable.sc:5.20.0
-
cpe:2.3:a:tenable:tenable.sc:5.20.1
-
cpe:2.3:h:netapp:h300e:-
-
cpe:2.3:h:netapp:h300s:-
-
cpe:2.3:h:netapp:h410c:-
-
cpe:2.3:h:netapp:h410s:-
-
cpe:2.3:h:netapp:h500e:-
-
cpe:2.3:h:netapp:h500s:-
-
cpe:2.3:h:netapp:h700e:-
-
cpe:2.3:h:netapp:h700s:-
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:fedoraproject:fedora:34
-
cpe:2.3:o:fedoraproject:fedora:35
-
cpe:2.3:o:fedoraproject:fedora:36
-
cpe:2.3:o:netapp:h300e_firmware:-
-
cpe:2.3:o:netapp:h300s_firmware:-
-
cpe:2.3:o:netapp:h410c_firmware:-
-
cpe:2.3:o:netapp:h410s_firmware:-
-
cpe:2.3:o:netapp:h500e_firmware:-
-
cpe:2.3:o:netapp:h500s_firmware:-
-
cpe:2.3:o:netapp:h700e_firmware:-
-
cpe:2.3:o:netapp:h700s_firmware:-